Automated clustered computing appliance disaster recovery and synchronization

ABSTRACT

A system and method for automatic disaster recovery and synchronization of computing appliances configured for operation in a cluster. A configuration bundle that includes configuration data, software revision level and a list of system updates is used to recover or duplicate the computing appliance's operation state. Upon entering a clustered configuration, the primary node creates a clustered configuration bundle from individual configuration bundles for the registered nodes in the cluster. The clustered configuration bundle can then be used for disaster recovery or synchronization of any of the registered nodes.

RELATED APPLICATIONS

This application claims the priority benefit of U.S. Provisional Application Ser. No. 61/032,342 filed Feb. 28, 2008, the contents of which are incorporated herein by reference in their entirety.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention is related to computer network systems, and more particularly, to a system and method for disaster recovery and synchronization of computing appliances configured for operation in a cluster.

2. Background Information

Network administrators are in a constant battle to keep the technology they manage running smoothly. Areas of particular challenge are disaster recovery, cluster management and system upgrades. Despite rapid improvements in computing power, storage technology and network bandwidth, these activities still prove a challenge to network administrators.

Disaster recovery encompasses restoring the operational state and any lost data of the system brought down by the disaster. Disasters can range from simple mis-configurations causing a single system to malfunction to multiple system failures due to a natural or man-made disaster. On either end of the spectrum the faster these mission critical systems can be brought back to their previous operational state the better. Unfortunately, the current state of technology typically requires that a network administrator spend hours re-installing software and resetting configurations to get systems back online after a disaster.

There has also been an increase in the use of clustered and/or redundant systems. Clustered systems and redundant systems add additional complexity to the disaster recovery dilemma. If clustered systems are properly designed and implemented, they tend to keep mission critical services online even if one or more nodes in the cluster should fail. This is important because re-installation and re-configuration of the failed node typically is difficult and time consuming.

In addition, systems such as clustered or redundant systems present the additional danger that mission critical service could be impacted if the replacement node is not configured correctly before it is inserted in the system. Therefore, proper recovery of a clustered system's configuration is critical.

Finally, the current security environment creates a nearly constant need to patch or upgrade systems. Device manufacturers are under constant pressure to improve security and performance. Sometimes these pressures require major changes to the operating software. Unfortunately for the already stressed network administrator, major operating software changes are bound to mean significant configuration changes. In the current environment, network administrators are typically left poring through manuals to figure out how to ensure the operational state of their networks is maintained through the upgrade process.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example embodiment of a system for automatically recovering, cloning or migration of a computer appliance.

FIG. 2 illustrates an example embodiment of a Configuration Bundle.

FIG. 3 illustrates an example embodiment of the directory structure for a disaster recovery/cloning media.

FIG. 4 illustrates an example method for creating a disaster recovery/cloning media.

FIG. 5 illustrates an example method for recovering a computing appliance.

FIG. 6 illustrates an example method for recovering a not fully functional computing appliance (node) within a cluster configuration.

FIG. 7 illustrates an example method for migration of a computing appliance to a new operating system while maintaining its previous operational state.

FIGS. 8A-8C illustrate an example embodiment of a Configuration Bundle.

FIG. 9 illustrates an example method for migration of a computing appliance to a different manufacturer's operating system while maintaining its previous operational state.

SUMMARY OF THE INVENTION

The above mentioned problems with disaster recovery, system migration and other problems are addressed by the present invention and will be understood by reading and studying the following specification.

According to one aspect of the invention, recovering a computing appliance after a disaster can be accomplished by using a configuration bundle during the restoration process. First an appropriate configuration bundle must be obtained. The configuration bundle needs to include a set of configuration data, a software revision level and a list of software updates that describe the operational state of the computing appliance prior to the disaster. Once a suitable configuration bundle is obtained it needs to be saved to an external storage device. The external storage device is then made accessible to the computing appliance that needs to be restored. The computing appliance is then restored automatically by running an initialization or installation program that accesses the configuration bundle and causes the proper software to be installed. Finally, the configuration bundle is accessed to restore all necessary configuration settings to return the computing appliance to its previous operational state.

According to another aspect of the invention, migrating a computing appliance to new operating software while maintaining the computing appliance's operational state can be accomplished by using a configuration bundle. The process of migrating to new operating software begins by creating a configuration bundle on the target appliance prior to the migration. Once created the configuration bundle is saved to a storage device external to the computing appliance. Then the computing appliance is upgraded to the new operating software and the previous operational state is restored by providing the installation program access to the configuration bundle.

According to yet another aspect of the invention, recovering a computing appliance acting as a node in a clustered system can be accomplished without any previously backed up configuration information. The process of recovering a not fully functional or completely non-functional node in a cluster starts by identifying a functional node within the cluster. A configuration bundle is then created from the functional node and saved to a storage device. An installation or initialization program is then run on the node to be recovered. The installation or initialization program installs or fixes the operating software and accesses the configuration bundle to restore the node's configuration settings. The recovered node is fully configured to re-join the clustered system in its pre-malfunctioning operational state.

DETAILED DESCRIPTION OF THE INVENTION

In the following detailed description of the preferred embodiments, reference is made to the accompanying drawings which form a part hereof, and in which is shown by way of illustration specific embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.

The systems and methods of the various embodiments described herein allow a network administrator of a computer network to manage and recover various devices whether they operate in a stand-alone or clustered configuration. Embodiments allow the network administrator to upgrade or migrate devices to a new operating system while automatically maintaining or recovering the operational state of the device under the old operating software. Other embodiments allow the network administrator to recover a device's previous operational state after some form of disaster. The disaster could be something as simple as mis-configuration to something as serious as a total hardware failure. In either case, the network administrator will be able to automatically restore the computing device to its previous operational state. Additional embodiments allow the network administrator to clone or copy a device's operational state onto a similar device. Cloning allows a network administrator to easily replace questionable hardware or build a clustered configuration.

Upgrading or migrating devices to new operating software typically requires recreating the device's current configuration within the new software. This manual reconfiguration process leaves the door open for user error and also does not account for potential changes in configuration options within the new software. Device manufacturers in an effort to keep up with security or performance demands may find it necessary to add or change the method of configuration between software versions. While documentation can be, and usually is, provided with the upgrade, it may be difficult to follow or ignored altogether by the network administrator.

Smooth, seamless disaster recovery is the dream of every network administrator. No matter how well engineered or maintained, equipment will ultimately fail, or human errors will cause a system to become hopelessly mis-configured. Unfortunately, just having a backup of the device's configuration is of little help, if any, until the device is restored to a similar operating software version and patch level. In situations where a backup was either not made or is out of date, disaster recovery can quickly become more like setting up a whole new network configuration. The difficulties involved in restoring devices can put organizations at risk, especially if the device is a firewall or other network security device.

The systems and methods of the various embodiments described herein provide solutions by implementing an automated device recovery, cloning and migration facility that includes automatic software and firmware patch installation and complete configuration recovery.

FIG. 1 illustrates a computer network 100 which depicts various embodiments. Computer network 100 includes a network 105, a plurality of computing appliances 110, 115, 120, a server 125, an administration console 130, a plurality of network accessible storage devices 140, 145, a plurality of external computer-readable storage devices 135, 150, a remote access gateway 155 and remote server 165. Computing appliances 110, 115, 120 may be firewalls, routing devices, security devices, web servers or any other sort of computing device one might utilize in a networked environment. For the purposes of illustration in the various embodiments computing appliance 115 will be the computing appliance to be restored, cloned or migrated to new operating software. The network 105 is a local-area or a wide-area network used to transmit data between the various network nodes 110, 115, 120, 125, 130, 140, 145, 155. The server 125 is a generic network attached server that also functions within some embodiments as a PXE (pre-execution environment) server allowing for any of the computing appliances 110, 115, 120 to boot from the PXE server 125 during the recovery or cloning process. The Administration console 130 is utilized within the various embodiments for storing Configuration Backups, also known as Configuration Bundles, which are defined further below and in FIG. 2. The Administration console 130 is also utilized within the various embodiments for creating Disaster Recovery/Cloning (DR/C) media 135, 140. The DR/C media 135, 140 is utilized by the computing appliance 115 during the recovery or cloning process to restore the appliance's 115 previous operational state.

FIG. 1 also includes a remote access gateway 155 used to connect the network 105 to at least a remote server 165. The remote server 165 is used within various embodiments to illustrate the ability to download installation software, software patches and firmware patches from the manufacturer of computing appliance 115. Downloading software from the remote server 165 is accomplished via FTP, HTTP, HTTPS, BitTorrent, Gopher, Gnutella, WebDAV, or any other commonly supported OSI layer 7 protocol. The remote connection 160 can be any sort of broadband or PSTN connection that supports transport of an OSI layer 7 protocol.

The following embodiments focus on the computing appliance 115 as the target device for migration, recovery, or cloning, but it would be understood by anyone skilled in the art that any computing device 110, 115, 120, whether connected to the network 105 or not, could utilize the systems and methods disclosed herein.

Configuration Bundle:

A Configuration Bundle or Configuration Backup is the data file which facilitates the total recovery of a computing appliance's operational state upon restoration, cloning or migration to new operating software. FIG. 2 illustrates an example embodiment of a Configuration Bundle, which includes information from a system database 205, meta-data 210 and one or more configuration files 215, 220, 225, 230. The system database 205 includes information such as rules, network objects, policies, administration accounts or other information required for the operation of a computing appliance. The system database 205 is typically unique to each stand-alone appliance or shared across a plurality of computing appliances operating as a cluster. Clustered environments could include, but are not limited to, high-availability (HA) clusters and one-to-many load-balancing clusters. The HA clusters could be configured as peer-to-peer failover, primary/standby failover or load sharing.

In one embodiment, the meta-data 210 is comprised of a series of key-value pairs that detail information about the version and patch level of the computing appliance or cluster, how the computing appliance is configured to operate (stand-alone or clustered), the computing appliance's domain and other miscellaneous information. Table 1 provides an example listing of information that could be stored in the meta-data 210.

TABLE 1

Key:              Value:
Bundle_type       FULL
Comment           Test configuration bundle
Creation_time     01012008093445
Domain            test.a.com
Patches           [60123, 60124, 60125, . . . ]
Policy_version    123456789.123
Source            test2.a.com
System_version    6.0.1.3.0
System_type       SA
User              testerA

As will become evident later, one of the most critical pieces of information stored in the meta-data is the list of system or firmware patches applied to the computing appliance. This list facilitates automatic reinstallation of all previously applied patches during a recovery or cloning process.

The configuration files 215, 220, 225, 230 include computing appliance specific information not suitable for storage in the system database 205. For example, domain name service (DNS) may require information unique to each appliance be stored in a file. Configuration files are unique to each computing appliance regardless of whether the appliance is operating in a stand-alone or clustered configuration. Computing appliances operating in a clustered configuration may share much of the information stored in various configuration files. Additionally, in some embodiments the computing appliances in a clustered configuration will have copies of configuration files 215, 220, 225, 230 from all members of the cluster. As will be explained in detail later, retaining copies of configuration files 215, 220, 225, 230 from all members of a cluster (for example 110, 115, 120) allows any member of the cluster to be restored using a Configuration Bundle 235 from any other member of the cluster.

As depicted by FIG. 2, the configuration bundle 235 is created by storing information from the system database 205, the meta-data 210 and one or more configuration files 215, 220, 225, 230 from one or more computing appliances in a single file. FIGS. 8A-8C illustrate an example embodiment of a combined configuration file stored in a Configuration Bundle. FIGS. 8A-8C illustrate a file structure for combining the meta-data 210, the system database 205 and other computing appliance specific configuration data. The example embodiment illustrated in FIGS. 8A-8C would be stored as an encrypted extensible markup language (XML) file. In another example embodiment the configuration bundle 235 is stored as a series of XML or structured data files compressed into a single archive file using TAR or ZIP technologies. In some embodiments, the Configuration Bundle 235 is automatically encrypted for security purposes. In some embodiments the network administrator (end-user) will be given the option of applying an additional encryption using a key of their choosing.

Referring back to FIG. 1, Configuration Bundles 235 can be produced on a target computing appliance 110, 115, 120 or on an administration console 130. Once created, Configuration Bundles 235 can be stored on the computing appliance 110, 115, 120, the administration console 130, some form of network attached storage 140, 145 or an external computer-readable storage media 135. Once created Configuration Bundles 235 can be stored and backed up in the same manner as any other critical data.

Disaster Recovery/Cloning Media:

The Disaster Recovery/Cloning (DR/C) media is some form of computer-readable media, such as a USB flash drive, external hard drive, network attached storage device or internal hard drive, that includes a Configuration Bundle and all software and firmware patches applied to the target computing appliance. The DR/C media is used in conjunction with some form of initialization or installation program to recover or clone a computing appliance.

FIG. 3 provides a graphical representation of an example embodiment of the DR/C media 300. A Configuration Bundle 310, as described in detail above in reference to FIG. 2, is included on the DR/C media 300 for restoration or cloning of the computing appliance's configuration settings. A fail-safe configuration file 315 is included on the DR/C media 300 to ensure that the target device can be restored to a minimal operational state if somehow the Configuration Bundle was corrupted or otherwise unusable. Finally, a directory of patches or packages 320 is included. The patches directory 320 typically includes one or more software or firmware patches 325, 330, 335, 340 that have been applied to the computing appliance. In some embodiments the patches directory 320 will be empty because the target computing appliance will not have had any patches applied. In other embodiments, the patches directory 320 will have at least one patch or package being the base package 325. The base package 325, when present, typically represents the base operating software installed on the target computing appliance.

Creating DR/C Media:

FIG. 4 illustrates the process of creating the DR/C media on the target appliance 115 or on the administration console 130. The process begins at step 410 by selecting an appropriate computer-readable medium for use as the DR/C media. In this example embodiment the selected DR/C media is a USB flash memory stick. However, the DR/C media could be any sort of computer-readable medium accessible by the target appliance. Note, references to physical objects such as the DR/C media 135, relate back to FIG. 1.

The process continues with an option to build the DR/C media 135 on the target computing appliance 115, at step 415. If the network administrator chooses to build the DR/C media 135 on the target computing appliance 115, the process moves on to step 420. Otherwise, the process moves on to step 450, building the DR/C on the administrator console 130. Building the DR/C media 135 on the target appliance 115 ensures easy access to all required data and all installed software or firmware patches.

In step 420 the network administrator (or end-user) connects the DR/C media 135 to the target computing appliance 115. In this example embodiment, connecting the DR/C media 135 involves simply plugging it into an available universal serial bus (USB) port on the target computing appliance 115. Once connected, the network administrator can start the creation process by selecting the appropriate option within the computing appliance's operating software, at step 425. In another embodiment the computing device 115 could be configured to automatically run the DR/C media creation software whenever a certain type of media is attached or when a certain USB port is utilized, eliminating step 425.

At step 430, the computing appliance 115 builds the DR/C payload, which includes a Configuration Bundle, Fail-safe Configuration and all installed patches (or packages). After the DR/C payload is built at step 430, either the system, the user or both can encrypt the payload for security purposes at step 435. The DR/C payload is then saved onto the DR/C media 135 at step 440. Finally, the network administrator can disconnect the DR/C media 135 and store it in a safe location, step 445. In some embodiments, the computing appliance 115 indicates that the process is complete by an audible signal, displaying a message on a screen, sending an e-mail to a pre-configured address or by registering an event in a network monitoring system.

If the network administrator chooses to build the DR/C media 135 on an administration console 130, then the process starts at 455 with the connection of the DR/C media 135 to the administration console 130. The administration console 130 then accesses the appropriate Configuration Bundle saved on the target computing appliance 115, a network server 125, the administration console 130 or any other network accessible storage devices 140, 145 at step 460. In step 465, the administration console 130 accesses the software and firmware patches or packages listed in the Configuration Bundle. The required patches or packages could be accessed from the target computing appliance 115, from the remote server 165, a local server 125 or from any other network accessible storage device 140, 145.

At step 470, the administration console 130 builds the DR/C payload, which includes a Configuration Bundle, Fail-safe Configuration and all installed patches (or packages). After the DR/C payload is built at step 470, either the system, the user or both can encrypt the payload for security purposes at step 475. The DR/C payload is then saved onto the DR/C media 135 at step 480. Finally, the network administrator can disconnect the DR/C media 135 and store it in a safe location, step 485. In some embodiments, the administration console 130 indicates that the process is complete by an audible signal, displaying a message on a screen, sending an e-mail to a pre-configured address or by registering an event in a network monitoring system.

Disaster Recovery—Stand-Alone Computing Appliance:

The following example embodiment focuses on the recovery of a single stand-alone computing appliance 115 after some sort of catastrophic disaster, such as a hard drive failure. Recovery of the computing appliance 115 is facilitated by the DR/C media 135 detailed above. Once again all references to physical devices relate back to FIG. 1.

FIG. 5 illustrates an example embodiment of the computing appliance recovery process 500. The process is initialized by inserting or connecting installation media to the target device 505. The next step 510 involves running the installation or initialization software from the installation media. Step 510 is accomplished in an example embodiment by rebooting the target computing appliance 115; upon reboot the computing appliance 115 automatically runs the installation program. In another example embodiment, the computing appliance 115 is configured to connect to a PXE boot server located on the network 105 upon startup. In this embodiment, the PXE boot server 125 includes the required installation code. In the various embodiments, the process continues at step 515 with the operating software being installed automatically.

After the operating software is installed, the computing device 115 detects whether or not DR/C media 135 is connected and available, at step 520. If the computing appliance 115 finds DR/C media 135, the previous operational state is automatically recovered from the DR/C media, at step 525. If there is no DR/C media 135 connected or accessible on a network storage device 140, 145, the process moves to step 530 and allows the network administrator to continue restoration from a Configuration Bundle. If the network administrator does not have an appropriate Configuration Bundle, then the process ends with the creation of a default (or fail-safe) configuration (policy) 545 leaving the computing appliance in a default operational state.

In one embodiment, the configuration bundle does not include the patches necessary to bring the computing appliance 115 up to the required revision level. In those situations, at step 535, the network administrator installs any patches or packages necessary to bring the computing appliance 115 up to the revision level required by the Configuration Bundle. This process can be accomplished by accessing the computing appliance 115 from the administration console 130 or on the computing appliance 115 itself. Working on the computing appliance 115 may require connecting some sort of terminal if the computing appliance 115 does not include any sort of display device. In an example embodiment, the software and firmware patches are stored on the administration console. In another example embodiment, the software and firmware patch may be obtained over an internet connection 160 to the manufacturer's remote server 165. In yet another example embodiment, the software and firmware patches are accessed from the network attached storage device 145.

Once the computing appliance 115 is brought up to the proper patch level, the previous operational state can be restored with the Configuration Bundle at 540.

In another embodiment, the configuration bundle includes the patches and packages (or pointers to the patches and packages) necessary to bring the computing appliance 115 up to the required revision level. In those embodiments, the network administrator simply points at the configuration bundle and the patches are applied as part of the restore at 535.

Again, once the computing appliance 115 is brought up to the proper patch level, the previous operational state can be restored with the Configuration Bundle at 540.
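The decision path of FIG. 5, together with the fail-safe fallback of FIG. 3, can be written as a dry-run planner that reports what a restore would do before anything is installed; this is an added example, not code from the patent. The JSON bundle layout, the file names and the `<patch id>.pkg` naming are assumptions, and the sample media is constructed from the Table 1 values.

```python
import json
import tempfile
from pathlib import Path

# Assumed on-media names; FIG. 3 only describes a bundle, a fail-safe
# configuration file and a directory of patches.
BUNDLE_NAME = "config_bundle.json"
FAILSAFE_NAME = "failsafe.conf"
PATCH_DIR = "patches"
REQUIRED_KEYS = {"System_version", "System_type", "Patches"}


def load_metadata(media):
    """Return the bundle meta-data, or None if the bundle is missing or unusable."""
    try:
        meta = json.loads((media / BUNDLE_NAME).read_text())["meta"]
    except (OSError, ValueError, KeyError, TypeError):
        return None
    if not isinstance(meta, dict) or not REQUIRED_KEYS <= meta.keys():
        return None
    if not isinstance(meta["Patches"], list):
        return None
    return meta


def plan_restore(media, installed_patches):
    """Decide the restore path without changing the appliance."""
    nothing = {"install": [], "missing": []}
    if media is None or not media.is_dir():
        # No DR/C media and no bundle: default (fail-safe) policy, step 545.
        return {"action": "default_policy", **nothing}
    meta = load_metadata(media)
    if meta is None:
        # Corrupted or unusable bundle: fall back to the fail-safe file 315.
        has_failsafe = (media / FAILSAFE_NAME).is_file()
        return {"action": "failsafe" if has_failsafe else "default_policy", **nothing}
    installed = set(installed_patches)
    # Keep the bundle's order so patches are applied as they were originally.
    needed = [p for p in meta["Patches"] if p not in installed]
    patch_dir = media / PATCH_DIR
    on_media = {f.stem for f in patch_dir.glob("*.pkg")} if patch_dir.is_dir() else set()
    missing = [p for p in needed if str(p) not in on_media]
    if missing:
        # Step 535: patches must first come from the console, NAS or remote server.
        return {"action": "fetch_patches", "install": needed, "missing": missing}
    return {"action": "restore", "install": needed, "missing": []}


def build_sample_media(root, patches_on_media, bundle_text=None):
    """Write constructed DR/C media under root (sample data, not a real bundle)."""
    meta = {"Bundle_type": "FULL", "System_version": "6.0.1.3.0",
            "System_type": "SA", "Patches": [60123, 60124, 60125]}
    text = json.dumps({"meta": meta}) if bundle_text is None else bundle_text
    (root / PATCH_DIR).mkdir(parents=True, exist_ok=True)
    (root / BUNDLE_NAME).write_text(text)
    (root / FAILSAFE_NAME).write_text("# minimal policy\n")
    for patch in patches_on_media:
        (root / PATCH_DIR / f"{patch}.pkg").write_bytes(b"")
    return root


def demo():
    """Plan four cases: complete media, partial media, corrupt bundle, no media."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        full = build_sample_media(tmp / "full", [60123, 60124, 60125])
        partial = build_sample_media(tmp / "partial", [60123])
        corrupt = build_sample_media(tmp / "corrupt", [], bundle_text="\x00garbage")
        return {
            "full": plan_restore(full, installed_patches=[60123]),
            "partial": plan_restore(partial, installed_patches=[]),
            "corrupt": plan_restore(corrupt, installed_patches=[]),
            "no_media": plan_restore(None, installed_patches=[]),
        }


if __name__ == "__main__":
    for name, plan in demo().items():
        print(name, plan)
```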

Cloning a Computing Appliance:

The same set of procedures illustrated in FIG. 5 and described above can be used to clone an operational (or non-operational) computing appliance. This process may be useful to upgrade hardware, add a computing device to a cluster or create a cold-spare. If the cloned device is added to the same network as the original device, the network administrator will need to make small configuration changes after cloning to any device specific parameters like hostname or static IP addresses.

Disaster Recovery—Clustered Computing Appliance:

Despite careful precautions, backup procedures and ever improving hardware performance, unexpected disasters do happen. The use of clustered systems for mission critical applications such as network firewalls, multi-function network security devices or web servers has become the norm. However, even clustered systems can experience unexpected malfunctions and are inherently more difficult to configure. When a clustered system fails the other systems in the cluster will maintain the mission critical function, but the failed system will need to be restored. Restoration of the failed system could require anything from minor configuration or policy changes to complete hardware replacement. Even mere configuration adjustments can be complicated in a clustered system. Therefore, a mechanism that provides an automated process for recovering to new hardware or simply resetting a corrupted configuration would be very beneficial.

In one embodiment, each cluster of computing appliances includes a primary node. The primary node is considered the primary owner of the configuration. In one such embodiment, when changes are made on the primary node in a cluster configuration, a configuration bundle is built and pushed out to the other nodes in the cluster. The bundle that is built contains data for every node in the cluster. So the same configuration bundle is pushed to every node, and each node is responsible for applying that configuration to the operating software as required based on the shared and unique aspects of the configuration. An added benefit of this approach is that if the primary node in the cluster fails, another node in the cluster can become the primary and has all the data required to build configuration bundles of the same format and push them out to the remaining nodes in a cluster.

In one embodiment, the configuration bundle includes configuration data common to all nodes in the cluster and configuration data unique to each node in the cluster. In one such embodiment, the IP address of each node is stored as part of the configuration data unique to each node in the cluster.

FIG. 6 illustrates an example embodiment of a process 600 for recovering a not fully functional clustered computing appliance to a fully operational state based on a configuration bundle stored on nodes within the cluster. The process 600 does not require any previously backed up configuration data for any of the clustered computing appliances so long as at least one appliance in the cluster remains operational.

The process 600 begins by checking the integrity of the cluster 605. If any computing appliances (nodes) are found to be not fully functional 610, the process identifies a fully functional computing appliance (node) 615. The functional node is used to create a DR/C payload 620 that can be utilized to restore the non-functional node. The functional node is able to produce a Configuration Bundle that includes configuration information for all nodes in the cluster. Whenever changes are made to any node in the cluster, the changed node's configuration information is shared among all members of the cluster in order to facilitate this recovery functionality.

The process 600 continues by saving the DR/C payload to a computer-readable medium 625 to create the DR/C media. The non-functional node is then restored using the DR/C media with the process outlined above in reference to FIG. 5. In an example embodiment, the recovery process selects the proper configuration data within the DR/C media by matching to one of the device specific parameters, such as hostname.

In one embodiment, the restored node will be a clone of one of the nodes in the cluster, including, in some instances, the IP address or host name of the node being cloned. In one such embodiment, a mechanism is included for changing the IP address or host name of the node being cloned and restoring the node with a new IP address or host name.

Configuration Management—Networked Computing Appliances:

Also related to clusters is the creation of clusters, and the use of configuration bundles in that process. The process of ‘clustering’ a group of devices requires an exchange of configuration bundles and programs which can extract the required data from each bundle to build the common configuration bundle. In one embodiment, the process for registering a subsequent node to the cluster involves providing a configuration bundle from that node to the primary, having the primary select the relevant unique configuration data out of that bundle, and returning a second configuration bundle which includes the entire configuration needed to create both nodes as a result. After the second bundle has been restored on the secondary device, the nodes are considered clustered.
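An added example (not code from the patent) of the clustered configuration bundle described in this and the preceding section: the primary keeps the common data, takes only the unique data from a joining node's bundle, and recovery selects a node's section by hostname, optionally with a new IP address. The dictionary layout, the key names and the duplicate hostname/IP checks are assumptions; host names and addresses are constructed.

```python
import copy

# Assumed layout of a single-node bundle: {"meta": ..., "common": ..., "unique": ...}.
# UNIQUE_KEYS is a hypothetical allow-list of per-node settings; the patent names
# only the IP address and hostname as examples of node-specific data.
UNIQUE_KEYS = ("hostname", "ip_address", "dns_servers")


def unique_part(node_bundle):
    """Primary selects only the allow-listed node-specific settings."""
    source = node_bundle["unique"]
    unique = {k: copy.deepcopy(source[k]) for k in UNIQUE_KEYS if k in source}
    if "hostname" not in unique or "ip_address" not in unique:
        raise ValueError("node bundle lacks hostname or ip_address")
    return unique


def new_cluster_bundle(primary_bundle):
    """Primary node: start a clustered bundle from its own configuration."""
    unique = unique_part(primary_bundle)
    return {
        "meta": dict(primary_bundle["meta"], Source=unique["hostname"]),
        "common": copy.deepcopy(primary_bundle["common"]),
        "nodes": {unique["hostname"]: unique},
    }


def register_node(cluster_bundle, node_bundle):
    """Primary node: add a joining node; the result is pushed to every node."""
    unique = unique_part(node_bundle)
    nodes = cluster_bundle["nodes"]
    # Added safeguard: recovery selects by hostname, so it must stay unambiguous.
    if unique["hostname"] in nodes:
        raise ValueError(f"hostname {unique['hostname']} already registered")
    if any(n["ip_address"] == unique["ip_address"] for n in nodes.values()):
        raise ValueError(f"ip_address {unique['ip_address']} already in use")
    merged = copy.deepcopy(cluster_bundle)
    # The joining node's own "common" section is ignored: the primary owns it.
    merged["nodes"][unique["hostname"]] = unique
    return merged


def config_for_node(cluster_bundle, hostname, new_ip=None):
    """Recovery: pick one node's configuration out of the clustered bundle."""
    if hostname not in cluster_bundle["nodes"]:
        raise KeyError(f"{hostname} is not in this clustered bundle")
    unique = copy.deepcopy(cluster_bundle["nodes"][hostname])
    if new_ip is not None:
        unique["ip_address"] = new_ip  # restore the clone under a new address
    return {
        "meta": dict(cluster_bundle["meta"]),
        "common": copy.deepcopy(cluster_bundle["common"]),
        "unique": unique,
    }


# Constructed sample bundles (documentation addresses, made-up host names).
FW1 = {"meta": {"System_version": "6.0.1.3.0", "Patches": [60123, 60124]},
       "common": {"rules": ["allow tcp/443", "deny any"]},
       "unique": {"hostname": "fw1.example.test", "ip_address": "192.0.2.11"}}
FW2 = {"meta": {"System_version": "6.0.1.3.0", "Patches": [60123, 60124]},
       "common": {"rules": ["allow any"]},  # stale local policy, dropped on join
       "unique": {"hostname": "fw2.example.test", "ip_address": "192.0.2.12",
                  "debug_shell": True}}     # not in UNIQUE_KEYS, never copied

if __name__ == "__main__":
    cluster = register_node(new_cluster_bundle(FW1), FW2)
    print(config_for_node(cluster, "fw2.example.test"))
    print(config_for_node(cluster, "fw2.example.test", new_ip="192.0.2.20"))
```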

Configuration Management—Central Management:

In one embodiment, configuration bundles are used as part of centralized management of computing appliances in a network. In one such embodiment, the configuration data for centrally managed servers and for centrally managed clustered servers is stored or even formed by the centralized manager and applied to all the nodes in the network. The method of distribution is similar to applying configuration restores from an administrative console, except that, in this embodiment, the configuration data is built on the central management device (it is not a piece of data that has been provided by that device), and it is distributed in the configuration bundle format using the same processing that would be used in each of the other cases.

It can be difficult to add new devices to centrally managed systems. In one embodiment, a configuration bundle from the new device is sent to the central management station. The central management station extracts the relevant pieces of information. The configuration is then managed by the central device and changes made on that server are applied to the managed nodes, including the newly added node, as required using the configuration bundle format.

Migration to New Operating Software:

Migration between major revisions of operating software presents significant challenges, especially when the migration involves critical network components like firewalls, security devices or routers. However, not keeping up with a manufacturer's upgrades leaves you potentially vulnerable to new security threats not handled by previous versions of software. Additionally, manufacturers often provide useful new features in the new operating software, but do not support them in past versions. The key to a successful migration is maintaining the computing appliance's operational state. When there are significant changes between the operating software versions, it may be impossible for the network administrator to maintain the computing appliance's operational state during upgrade. Therefore, an automated process to ensure an upgraded computing appliance maintains its previous operational state is needed.

The process 700 illustrates an example embodiment of a process for migration of a computing appliance to new operating software (operating system) while maintaining the computing appliance's operation state. In discussing the process 700 illustrated in FIG. 7, physical devices, such as the target computing appliance 115, will be discussed in reference to FIG. 1.

One exemplary embodiment of the migration process 700 starts with the creation of a Configuration Bundle on the target device 705. The Configuration Bundle could also be created by the administration console 130, or any system running the appropriate software application. Some embodiments of the creation process 705 will also include a translation of the configuration data from the old operating software to the new operating software. The translation process may include mapping configuration parameters between the different configuration data structures. Once the Configuration Bundle is created, the next step in process 700 saves the Configuration Bundle to a storage device 710. In an example embodiment, the Configuration Bundle is saved to an external storage device 135, such as a USB flash drive. In another example embodiment the Configuration Bundle is saved on the Administration Console 130. In yet another example embodiment the Configuration Bundle is saved on a network accessible storage device 140, 145.

Once the Configuration Bundle is safely saved on an external storage device, the new operating system is installed on the target computing appliance 715. Finally, the computing appliance 115 is restored to its previous operational state 720. In an example embodiment the restoration occurs automatically if the USB flash drive 135 with a Configuration Bundle is detected by the installation program. In another example embodiment the installation program prompts the network administrator (end-user) for the location of a Configuration Bundle allowing the restoration process to proceed automatically once the new operating software installation is complete.

Migration from a Competitor's Appliance:

Migration between appliances from different competitors can also present significant challenges, especially when the migration involves critical network components like firewalls, security devices or routers. The key to a successful migration is maintaining the computing appliance's operational state. When there are significant changes between the competing appliances, it may be impossible for the network administrator to maintain the computing appliance's operational state during upgrade. Therefore, an automated process to ensure that a system migrated from a competitor's appliance maintains its previous operational state is needed.

Once again, a process similar to process 700 can be used to migrate the operational state of a competitor's machine to a machine based on your technology, while maintaining the operational state in the new computing appliance. One such process 900 is shown in FIG. 9. Once again, the Configuration Bundle is created 905. However, in this embodiment the Configuration Bundle is created from the configuration data on the competitor's computing appliance 905. In one example embodiment, the Configuration Bundle is created by the administration console 130. In another embodiment, the Configuration Bundle is created by any system running the appropriate software application. When migrating from a competitor's computing appliance the creation process 905 will also include a translation of the configuration data from the competitor's operating software. The translation process may include mapping configuration parameters between the different configuration data structures. Once the Configuration Bundle is created, the next step in process 900 saves the Configuration Bundle to a storage device 910. In an example embodiment, the Configuration Bundle is saved to an external storage device 135, such as a USB flash drive. In another example embodiment the Configuration Bundle is saved on the Administration Console 130. In yet another example embodiment the Configuration Bundle is saved on a network accessible storage device 140, 145.

Migration from a competitor's computing appliance is completed at 915 by updating the target computing appliance 115 with the configuration information saved in the Configuration Bundle. In an example embodiment the upgrade occurs automatically if the USB flash drive 135 with a Configuration Bundle is detected by an initialization program run on the target device 135. In another example embodiment the network administrator (end-user) selects the location of a Configuration Bundle through a menu option on the target computing appliance 115 allowing the upgrade process to proceed with a Configuration Bundle saved anywhere on the network 105 accessible by the target computing appliance.

In the above discussion, the terms “computer,” “appliance,” “device” or “node” are defined to include any digital processing unit. Examples include any network appliance, personal computer, workstation, mainframe, server, or supercomputer capable of embodying the inventions described herein. It would also be evident to one of ordinary skill in the art that virtual appliances, PDAs, smartphones and other mobile computing devices could be included within the definition of “computer,” “appliance,” “device,” or “node.” Additionally, in the above discussion, the terms “network administrator” or “end-user” are defined to include any person operating or interacting with devices capable of embodying the inventions described herein. Finally, in the above discussion, the terms “patch” or “update” are defined to include any new software applied to the computing appliance that is not considered a base operating software or major revision to the operating software. Patches and updates are generally small upgrades that address specific security or functionality problems identified within the base operating software or major revision. The term “package” is used more generically to describe any single upgrade in the operating software of a computing appliance. Depending upon usage, “package” could be referring to either a “patch” or a new version of the operating software.

Although specific embodiments have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that any arrangement which is calculated to achieve the same purpose may be substituted for the specific embodiment shown. This application is intended to cover any adaptations or variations of the present invention. Therefore, it is intended that this invention be limited only by the claims and the equivalents thereof.

1. A method for recovering a first node in a cluster, comprising: identifying a functional node within the cluster; creating a configuration bundle using the functional node's current configuration, wherein the configuration bundle includes configuration information corresponding to the functional node's current configuration; saving the configuration bundle to a first computer-readable medium; and restoring the first node, wherein restoring includes: running a set of initialization code on the first node to achieve a first operational state; reading, while in the first operational state, the configuration bundle from the first computer-readable medium; and rebuilding the first node using the configuration bundle, wherein rebuilding includes moving to a second operational state based at least in part on the configuration information stored in the configuration bundle.
2. The method of claim 1, wherein running the initialization code occurs automatically upon rebooting the first node if the first node detects the first computer-readable medium.
3. The method of claim 1, wherein creating the configuration bundle includes: deriving a system database reflective of one or more nodes in the cluster; reading meta data associated with one or more nodes in the cluster; and reading one or more configuration files stored on the functional node.
4. The method of claim 1, wherein using the configuration bundle includes: replicating a system database stored in the configuration bundle on the first node; reading meta data associated with the first node stored in the configuration bundle; and applying one or more configuration files stored in the configuration bundle to the first node.
5. A method for creating a clustered computer system, comprising: connecting a first node to a network; connecting a second node to the network; sending a configuration bundle from the second node to the first node; creating a cluster configuration bundle on the first node; sending a copy of the cluster configuration bundle back to the second node; and updating the second node with the cluster configuration bundle.
6. The method of claim 5, wherein creating the cluster configuration bundle includes: merging system databases from the first and second nodes; compiling meta data associated with the first and second nodes; building one or more system configuration files associated with the clustered computer system; and saving one or more node configuration files associated with the first and second nodes.
7. The method of claim 5, wherein restoring the second node with the configuration bundle includes: replicating a system database stored in the configuration bundle on to the second node; reading meta data stored in the configuration bundle; and applying one or more configuration files stored in the configuration bundle to the second node.
8. The method of claim 5, wherein updating the second node includes configuring the second node as a redundant node in a high-availability cluster.
9. The method of claim 5, wherein updating the second node includes configuring the second node as a load-balancing node in a one-to-many load balancing cluster.
10. A method for synchronizing configurations within a clustered computer system, comprising: selecting a primary node; registering other nodes in the cluster with the primary node; creating a cluster configuration bundle on the primary node, wherein the cluster configuration bundle contains cluster configuration data and node configuration data for all registered nodes; distributing the cluster configuration bundle to all registered nodes; and updating configuration on all registered nodes based on the distributed cluster configuration bundle.
11. The method of claim 10, wherein creating the cluster configuration bundle includes: merging system databases from all the nodes; compiling meta data associated with all the nodes; building one or more system configuration files associated with the clustered computer system; and saving one or more configuration files from each of the nodes.
12. The method of claim 10, wherein updating configuration includes: replicating a system database stored in the cluster configuration bundle onto the node; reading meta data stored in the cluster configuration bundle; and applying one or more configuration files stored in the cluster configuration bundle to the node.
13. The method of claim 10, wherein registering other nodes includes redundant nodes in a high-availability cluster.
14. The method of claim 10, wherein registering other nodes includes load-balancing nodes in a one-to-many load balancing cluster.
15. The method of claim 10, wherein updating includes running an initialization program on all registered nodes after distributing the cluster configuration bundle.
16. A clustered computer system, comprising: a communication network; a first node operatively coupled to the communication network; a second node operatively coupled to the communication network, wherein the first and second node form a cluster; a first computer-readable medium accessible by the second node, wherein the first computer-readable medium includes: a cluster configuration bundle including configuration data corresponding to the first and second nodes; and a second computer-readable medium accessible by the second node, wherein the second computer-readable medium includes: an initialization program, wherein the initialization program is configured to use the cluster configuration bundle to restore the second node to a functional state.
17. The system of claim 10, wherein the configuration data includes: a system database; meta data associated with the computing appliance; one or more configuration files corresponding to the cluster; and one or more configuration files corresponding to the first and second nodes.
18. The system of claim 10, wherein the configuration data further includes one or more software packages.
19. The system of claim 18, further including a remote server operatively connected to the communication network, wherein the initialization program is further configured to download the one or more software packages from the remote server while restoring the second node.
20. The system of claim 10, wherein the first node is a primary node in a high-availability cluster.
21. The system of claim 10, wherein the first node is a primary node in a one-to-many load balancing cluster.
22. A method for adding a new node to a clustered computer system, the method comprising: connecting the new node to a network; identifying a primary node in the clustered computer system; registering the new node with the primary node, wherein registering includes sending a copy of the new node's configuration bundle to the primary node; creating a cluster configuration bundle on the primary node, wherein the cluster configuration bundle includes cluster configuration data and individual node configuration data for all registered nodes; distributing a copy of the cluster configuration bundle to all registered nodes; and updating configuration on all registered nodes based on the distributed cluster configuration bundle.
23. The method of claim 22, wherein creating the cluster configuration bundle includes: merging system databases from all the nodes; compiling meta data associated with all the nodes; building one or more system configuration files associated with the clustered computer system; and saving one or more configuration files from each of the nodes.
24. The method of claim 22, wherein updating configuration includes: replicating a system database stored in the cluster configuration bundle onto the node; reading meta data stored in the cluster configuration bundle; and applying one or more configuration files stored in the cluster configuration bundle to the node.
25. The method of claim 22, wherein updating includes running an initialization program on all registered nodes after distributing the cluster configuration bundle.
26. A computer-readable medium configured to retain configuration settings for a computing appliance, the computer-readable medium comprising: a system database associated with the computing appliance; meta data associated with the computing appliance; and one or more configuration files associated with the computing appliance.
27. A computer-readable medium configured to distribute configuration settings for one or more computing appliances within a clustered computer system, the computer-readable medium comprising: a system database associated with the clustered computing system; meta data associated with one or more computing appliances; one or more configuration files corresponding to configuration of the cluster; and one or more configuration files corresponding to configuration of the one or more of the computing appliances.